IPA/AD: globally set krb5 canonicalization flagipa_automatic_enterprise

If Kerberos principal canonicalization is configured in SSSD, currently
it is the default for the IPA provider, a configuration snippet is
generated for the system-wide libkrb5 configuration so that all
kerberized applications will use canonicalization by default.

Resolves https://fedorahosted.org/sssd/ticket/3041

1 files changed, 6 insertions, 1 deletions

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 4a858fd4d..928c4fe93 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -504,11 +504,16 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
 {
     const char *path;
     errno_t ret;
+    bool canonicalize;
 
     path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
                              AD_KRB5_CONFD_PATH);
 
-    ret = sss_write_krb5_conf_snippet(path);
+    canonicalize = dp_opt_get_bool(
+                             subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts,
+                             KRB5_CANONICALIZE);
+
+    ret = sss_write_krb5_conf_snippet(path, canonicalize);
     if (ret != EOK) {
         DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
         /* Just continue */